A typical operating system does not know what executable software resides on the machine nor does it know what resources are needed by the software to execute. An application that is written to be run by such an operating system typically assumes that it will have access to a global namespace. The global namespace is used to resolve names and to obtain values and resources. A number of drawbacks are associated with use of a global namespace. Firstly, use of a global namespace makes it difficult to isolate applications so that one application does not maliciously or unintentionally affect another application during concurrent execution. For example, a first application may store its state in a file of a particular name in the global namespace. A second application may store its state in the same file. If the applications execute at the same time, each application's state may be overwritten by the other's. Secondly, machine resources accessed via a global namespace are shared by all the applications running on the machine. Because the application is able to find any resource in the global namespace, the application is potentially able to access and use it. Access to the resources is typically controlled by ACLs (access control lists). Access is allowed or refused based on an administrative function that associates access privileges with the identity of the user. The operating system does not control access to resources based on the application making the request and is unable to determine what resources a program needs. It follows that an application may well have access to resources that it does not need, enabling a malicious program to compromise the integrity of the system. The operating system is unable to prevent this from happening.